SSL exceptions occur on start up or no connections

Troubleshooting for SSL connections for client-to-node encryption and node-to-node encryption when exceptions occur on start up or no connections to the DSE database can be established.

Follow these steps to troubleshoot SSL connections when exceptions occur on start up, or no connections to the database can be established.

Procedure

  • To enable debugging, add the following option to cassandra-env.sh:
    -Djavax.net.debug=ssl

    Detailed startup and connection messages are printed to STDOUT, including SSL handshake errors. See Debugging SSL/TLS Connections for message details.

  • Verify SSL encryption messages in /var/log/cassandra/system.log.
    • SSL starts properly:
      • For client-to-server connections:
        INFO  [main] 2017-06-15 21:50:41,928  Server.java:145 - Enabling encrypted CQL connections between client and server
        
      • For node-to-node messaging:
        INFO  [main] 2017-06-15 21:50:23,037  MessagingService.java:702 - Starting Encrypted Messaging Service on SSL port 7001
        
        
    • SSL fails to start:
      • Truststore or keystore file not found:
        Caused by: org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
        ...
        Caused by: java.io.FileNotFoundException: resources/dse/conf/.truststore (No such file or directory)

        Note: The example shows the error raised when the default setting was not changed for node-to-node encryption.
      • Truststore or keystore password is invalid:
        Caused by: java.io.IOException: Error creating the initializing the SSL Context
            at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:201)
            at com.datastax.bdp.node.transport.SSLOptions.getDefault(SSLOptions.java:82)
        ....
        Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

        Note: The example shows the error raised when the keystore password for node-to-node encryption is incorrect.
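
The log check in the second step can be scripted. The following is an added example, not DataStax code: it matches only the message signatures quoted above, and the function name check_ssl_log, its output wording and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify SSL startup state from system.log using the
# message signatures quoted in this procedure (function name is hypothetical).
# Return status: 0 = no SSL failure found, 1 = SSL failure found, 2 = log unreadable.
check_ssl_log() {
    log=$1; ssl_rc=0
    [ -r "$log" ] || { echo "ERROR cannot read $log"; return 2; }
    if grep -q 'Enabling encrypted CQL connections between client and server' "$log"; then
        echo "OK client-to-node encryption enabled"
    fi
    # The port is read from the log line itself rather than assumed to be 7001.
    port=$(sed -n 's/.*Starting Encrypted Messaging Service on SSL port \([0-9][0-9]*\).*/\1/p' "$log" | tail -n 1)
    if [ -n "$port" ]; then
        echo "OK node-to-node encryption enabled on port $port"
    fi
    if grep -q 'ConfigurationException: Failed to initialize SSL' "$log"; then
        ssl_rc=1
        # Pull the path the JVM could not open out of the nested "Caused by" line.
        missing=$(sed -n 's/.*java\.io\.FileNotFoundException: \(.*\) (No such file or directory).*/\1/p' "$log" | tail -n 1)
        if [ -n "$missing" ]; then
            echo "FAIL SSL not initialized; store file not found: $missing"
        else
            echo "FAIL SSL not initialized; read the Caused by chain for the reason"
        fi
    fi
    if grep -q 'Keystore was tampered with, or password was incorrect' "$log"; then
        ssl_rc=1
        echo "FAIL keystore or truststore password rejected"
    fi
    return "$ssl_rc"
}

# Constructed sample input: the truststore-not-found messages shown above.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Caused by: org.apache.cassandra.exceptions.ConfigurationException: Failed to initialize SSL
Caused by: java.io.FileNotFoundException: resources/dse/conf/.truststore (No such file or directory)
EOF
check_ssl_log "$demo_log" || echo "exit status $?"
rm -f "$demo_log"
```

The function scans the whole file, so a log that spans several restarts can report a failure from an earlier start.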